OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Audit Report

EPA Needs to Improve Oversight of Its Information Technology Projects

Report No. 2005-P-00023

September 14, 2005

Report Contributors:
Eric Lewis
Rudolph M. Brevard
Michael Wall
Dwayne Crawford
Rae Donaldson
Neven Morcos

Abbreviations:

CAMDBS   Clean Air Markets Division Business System
EPA      Environmental Protection Agency
FinRS    Financial Replacement System
IGMS     Integrated Grants Management System
IRM      Information Resources Management
OEI      Office of Environmental Information
OIG      Office of Inspector General
OMB      Office of Management and Budget

U.S. Environmental Protection Agency
Office of Inspector General

At a Glance

Why We Did This Review

We sought to determine whether the processes used by Environmental Protection Agency (EPA) managers to oversee the development of information technology projects helped produce intended results. We also sought to determine how well Agency management monitored these projects.

Background

To help ensure EPA manages its information systems in a cost-effective manner, life cycle development guidance requires management involvement at key decision points. These decisions must be documented by EPA management in the system decision documents before the system may advance from one phase of development to the next.

What We Found

EPA’s Office of Environmental Information (OEI) did not sufficiently oversee information technology projects to ensure they met planned budgets and schedules. The increased cost and schedule delays for the projects we reviewed may have been averted or lessened with adequate oversight. PeoplePlus cost at least $3.7 million more than originally budgeted and took 1 year longer than planned to deploy. Modifications to developing the Clean Air Markets Division Business System have already increased costs about $2.8 million and extended the target completion date by 2 years.

Following implementation of the Clinger-Cohen Act, the Agency did not revise procedures under Chapter 17 of the Information Resources Management (IRM) Policy Manual to have the Chief Information Officer evaluate information technology program performance. Also, EPA did not include responsibilities under its Interim Policy that required the Chief Information Officer to evaluate the performance of the Agency’s information technology program. In addition, requirements under the Agency’s Capital Planning and Investment Control Process, governed by OEI, did not ensure necessary project documentation. Consequently, OEI did not know that System Sponsors did not require System Managers to completely document risks associated with system development. The lack of project documentation prevents the appropriate level of oversight for the different phases of development, and results in decision makers not having the information needed to make fully informed decisions regarding project risks.

What We Recommend

We recommend that OEI revise its Interim Policy to include the Chief Information Officer having responsibility for conducting independent reviews of Agency information technology projects. We also recommend that OEI revise procedures under the Interim Policy to define requirements of specific life cycle documentation and address risk elements. Further, OEI should ensure formal procedures are followed to make certain that System Managers prepare required system life cycle documentation, and that System Owners review and approve that documentation before projects advance between life cycle phases. During our review, OEI officials acknowledged their oversight of information technology projects could be strengthened, and said they would initiate corrective action.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.

To view the full report, click on the following link:
www.epa.gov/oig/reports/2005/20050914-2005-P-00023.pdf

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF INSPECTOR GENERAL

September 14, 2005

MEMORANDUM

SUBJECT:  EPA Needs to Improve Oversight of Its Information Technology Projects
          Report No. 2005-P-00023

FROM:     Rudolph M. Brevard /s/
          Acting Director, Business System Audits

TO:       Kimberly T. Nelson
          Assistant Administrator for Environmental Information and Chief Information Officer

This is our final report on the oversight of information technology projects audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This audit report contains findings that describe problems the OIG has identified and corrective actions the OIG recommends. This report presents the opinion of the OIG, and the findings in this report do not necessarily represent the final EPA position. EPA managers, in accordance with established EPA audit resolution procedures, will make final determinations on matters in this report.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days of the date of this report. You should include a corrective action plan for agreed upon actions, including milestone dates.
We have no objections to further release of this report to the public. For your convenience, this report will be available at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact me at (202) 566-0893 or Dwayne E. Crawford, project manager, at (202) 566-2894.

Table of Contents

At a Glance

Chapters

1   Introduction
        Purpose
        Background
        Scope and Methodology
        Results in Brief

2   OEI Needs to Improve Oversight of Information Technology Project Development
        Oversight of Information Technology Projects Is Required
        Various Factors Caused Cost Increases and Delays
        Lack of Documentation Hindered Appropriate Oversight
        Recommendations
        Agency Comments and OIG Evaluation

Appendices

A   Agency Response to Draft Report
B   Distribution

Chapter 1
Introduction

Purpose

We evaluated the processes used by Environmental Protection Agency (EPA) managers to oversee the development of information technology projects. Specifically, we sought to determine whether these processes helped produce intended results. We also sought to determine how well Agency management monitored these projects.

Background

Information technology investments can significantly impact an organization's performance. EPA needs to effectively manage these investments in a cost-effective manner. The Clinger-Cohen Act of 1996 (Public Law 104-106) and Office of Management and Budget (OMB) Circular A-130 both require agency chief information officers to oversee information technology investments.

At EPA, the initial Agency guidance governing the projects in our review was Chapter 17 of the Information Resources Management (IRM) Policy, September 1994, which identified the life cycle requirements to develop information system projects.
One requirement was for System Managers to prepare decision papers that updated the status of system development, provided assessments of projected versus actual project costs, and described work to be accomplished as projects advanced from one phase to the next. Another requirement was for System Sponsors to approve or disapprove decision papers, and conduct periodic life cycle management reviews to evaluate costs and efficiency of operations.

In December 2003, OEI replaced Chapter 17 with its Interim Policy. This document continued the role and responsibilities previously established for information technology projects’ System Managers. However, it added the role of a System Owner to approve decision papers as projects advanced from one phase to the next.

To inform decision makers of the risks associated with project development, procedures under the Interim Policy also continued the previous requirement to prepare documentation at various life cycle phases, as follows:

Life Cycle Phase            Documentation
--------------------------  ----------------------------------
Initiation                  Initiation Decision Paper
                            System Management Plan

Concept Definition          Security Risk Assessment
                            Cost-Benefit Analysis

Requirements Definition     Requirements Decision Paper
                            System Test Plan
                            Security Plan

Design                      Development Decision Paper

Construction                User/System Documentation

Testing                     System Implementation Plan
                            Technical Vulnerability Assessment
                            Security Test & Evaluation (ST&E)
                            Report Certifier's Statement

Implementation              Implementation Decision Paper

Operations & Maintenance    Security Controls Review

Termination                 Retirement Decision Paper

In accordance with the Clinger-Cohen Act, EPA implemented a Capital Planning and Investment Control Process in 1997 to maximize the value and assess and manage the risks of information technology acquisitions. Each year since that time, EPA has continually improved the Capital Planning and Investment Control Process to make it more structured and strategic. Specific process improvements included:

• Creating a senior management information technology investment review board to oversee and select information technology projects;

• Defining selection criteria, and using peer review to analyze each information technology investment; and

• Automating the process to facilitate proposal preparation and allow continuous monitoring of information technology investments.

Furthermore, the Agency’s Capital Planning and Investment Control Process has evolved to include a rigorous Earned Value Management program under which all major information technology investments must adhere. Earned value management is the Agency’s mechanism to review cost, schedule, and performance for major information technology investments in development. The Earned Value Management program, administered by OEI, requires that project managers track project cost, schedule, and performance, and report the results to the senior management review board on a quarterly basis.
OEI officials stated earned value management results are used by the Chief Information Officer to report to the EPA Administrator annually on the status of information technology projects.

Scope and Methodology

From May 2004 through April 2005, we conducted our field work at EPA Headquarters in Washington, DC. We reviewed management internal controls for the review and oversight of information technology project development. We requested and reviewed system life cycle documentation in accordance with Federal and Agency criteria, and interviewed Agency personnel involved with the system life cycle development of the projects selected for review. We conducted this audit in accordance with Government Auditing Standards, issued by the Comptroller General of the United States.

Our review focused on information technology development and adherence to life cycle policies and procedures. To identify systems in development, we reviewed the 26 fiscal year 2005 Capital Planning and Investment Control business cases EPA submitted to OMB.
We initially selected for review three business cases, representing $36.55 million, or 27 percent, of the $134.79 million system development funding requests for fiscal year 2005 and beyond:

System Owner                       System
---------------------------------  ---------------------------------------------------
Office of Chief Financial Officer  Financial Replacement System (FinRS)
Office of Air and Radiation        Clean Air Markets Division Business System (CAMDBS)
Office of Administration and       Integrated Grants Management System (IGMS)
Resources Management

FinRS’ and CAMDBS’ business cases reported scheduling variances to OMB in September 2003, which indicated potential problems with system development. The IGMS business case did not contain any variances at the time of reporting. At EPA’s request, we substituted IGMS with OEI’s Environmental Information Integration and Portal Development system, but after determining that system was still in the initiation rather than design phase, we decided to concentrate on FinRS and CAMDBS.

We reviewed the PeoplePlus component of the FinRS project because schedule delays and cost overruns had occurred during its development. PeoplePlus combines EPA’s payroll processing and human resources systems. PeoplePlus supports the Office of Chief Financial Officer’s payroll processing requirements and the Office of Administration and Resources Management’s human capital management responsibilities.

For CAMDBS, the Office of Air and Radiation recognized in 1999 that significant technological changes had occurred and believed it needed a new system.
As a result, Office of Air and Radiation began replacing its Acid Rain Data System with CAMDBS, which integrates all the functions and data that support the emission trading programs.

Results in Brief

OEI did not sufficiently oversee information technology projects to ensure they met planned budgets and schedules. The increased cost and schedule delays for the projects we reviewed may have been averted or lessened with adequate oversight. PeoplePlus cost at least $3.7 million more than originally budgeted and took 1 year longer than planned to deploy. Modifications to CAMDBS development have already increased costs about $2.8 million and extended the target completion date by 2 years. Following implementation of the Clinger-Cohen Act, the Agency did not revise procedures under Chapter 17 of the IRM Policy to have the Chief Information Officer evaluate information technology program performance. Also, EPA did not include responsibilities under its Interim Policy that required the Chief Information Officer to evaluate the performance of the Agency’s information technology program. In addition, processes under the Agency’s Capital Planning and Investment Control Process, governed by OEI, did not ensure that System Managers prepared and submitted for review necessary project documentation.

We recommend that OEI revise procedures under its Interim Policy to include the Chief Information Officer having responsibility for conducting independent reviews of projects, and to better define requirements of specific life cycle documentation to address risk elements.
OEI should also ensure that established procedures are followed under the Interim Policy to make certain that System Managers provide required system life cycle documentation, and that System Owners review and approve that documentation before projects advance.

OEI agreed with the goals sought in the draft audit report, and substantially agreed with the recommendations. OEI requested that the final report include a more complete picture of the work they have done to manage the Capital Planning and Investment Control and Earned Value Management governance processes. As appropriate, we revised the final report in response to OEI’s request. Our evaluation of OEI’s response to the draft report is in Chapter 2. We included OEI’s complete response as Appendix A.

Chapter 2
OEI Needs to Improve Oversight of Information Technology Project Development

OEI did not sufficiently oversee information technology projects to ensure they met planned budgets and schedules. The increased costs and schedule delays for the following projects we reviewed may have been averted or lessened with adequate oversight:

• PeoplePlus: This cost at least $3.7 million more than originally budgeted and took 1 year longer than planned to deploy.

• CAMDBS: Modifications to system development have already increased costs about $2.8 million and extended the target completion date by 2 years.

Following implementation of the Clinger-Cohen Act, the Agency did not revise procedures under Chapter 17 of the IRM Policy to have the Chief Information Officer evaluate information technology program performance.
Also, OEI did not include responsibilities under its Interim Policy that required the Chief Information Officer to evaluate the performance of the Agency’s information technology program. In addition, requirements under the Agency’s Capital Planning and Investment Control Process, governed by OEI, did not effectively ensure that System Managers prepared and submitted for review necessary life cycle documentation. Consequently, OEI did not know that System Sponsors did not ensure PeoplePlus and CAMDBS System Managers completely documented risks associated with system development. The lack of project documentation also prevented the appropriate level of oversight for the different phases of development, and resulted in decision makers not having the information needed to make fully informed decisions regarding project risks.

Oversight of Information Technology Projects Is Required

The Clinger-Cohen Act of 1996 (Public Law 104-106) and OMB Circular A-130 require the Chief Information Officer to evaluate information technology investments and advise on whether to continue, modify, or terminate projects.

Chapter 17 of the IRM Policy, September 1994, identified the Agency’s initial life cycle requirements needed to develop information systems projects. The manual required a System Management Plan that contains decision papers showing that each stage of the project’s development was approved ahead of time.
Chapter 17 also established certain management roles and responsibilities:

• The System Sponsors were tasked with approving or disapproving decision papers, and conducting periodic life cycle management reviews to evaluate costs and efficiency of operations.

• The System Managers were to manage the system’s life cycle process, prepare the System Management Plan and other decision papers, and obtain review and approval of all decision papers.

However, following implementation of the Clinger-Cohen Act, the Agency did not revise procedures under Chapter 17 of the IRM Policy to have the Chief Information Officer evaluate information technology program performance. Furthermore, OEI did not include responsibilities under its Interim Policy that required the Chief Information Officer to evaluate the performance of the Agency’s information technology program. In discussions with OEI regarding project management oversight, officials stated they did not have the personnel to review the progress of all Agency information technology projects. In response to our draft report, OEI officials stated it is critical for the Chief Information Officer to focus on the development of guidance (i.e., policies and procedures) so program managers can make good decisions.
Further, officials responded that the cornerstone of the Agency’s information technology project development and review relies on the delegated responsibilities of senior program managers in organizations that own information technology projects.

In accordance with the Clinger-Cohen Act, EPA did implement a Capital Planning and Investment Control Process in 1997 to maximize the value and assess and manage the risks of information technology acquisitions. According to an OEI official, the Capital Planning and Investment Control Process has evolved to include a rigorous Earned Value Management program to review cost, schedule, and performance for major information technology investments in development. However, the Agency’s Capital Planning and Investment Control Process, and subsequent Earned Value Management program, did not sufficiently ensure that Systems Managers prepared and submitted for review required life cycle documentation, such as decision papers and System Management Plans, used to document the status of system development costs and schedules.

Various Factors Caused Cost Increases and Delays

According to the Software Engineering Institute,¹ major changes to commercial off-the-shelf software can increase costs and cause delays. This is what happened to the PeoplePlus project. The System Managers made major changes to the commercial off-the-shelf software to integrate the human resources component with the payroll component. In addition, when faced with schedule delays, the System Managers modified their test approach.
Rather than continue with a pilot production of PeoplePlus prior to full Agency deployment, the System Manager approved the change to a collaborative test effort. This effort included concurrent system integration testing; independent verification and validation testing; and, user acceptance testing. However, this increased risks because the collaborative test effort eliminated the opportunity to see a live system in operation before deployment.

¹ The Software Engineering Institute provides guidance to the Federal Government on developing information technology projects.

Although EPA was originally scheduled to deploy PeoplePlus in October 2003, significant technical failures delayed deployment until October 2004. According to earned value management calculations, the Office of Chief Financial Officer budgeted $13.4 million, for development and deployment of PeoplePlus by October 2003, but incurred additional costs of $3.7 million, bringing the total to $17.1 million as of October 2004. In addition, the Office of Administration and Resources Management spent $8 million on PeoplePlus, thus bringing the total development cost to $25.1 million. (We could not determine the amount initially budgeted by the Office of Administration and Resources Management.)

The Office of Air and Radiation, which began developing CAMDBS in 2001, had estimated a total cost of $13.7 million and completion by 2006. However, System Managers now estimate an additional $2.8 million will be needed, for a total of $16.5 million.
Further, because the project is far more complex than originally envisioned, the Office of Air and Radiation now estimates project completion in 2008, a 2-year extension.

Lack of Documentation Hindered Appropriate Oversight

Life cycle documentation, such as decision papers, is important for two reasons. First, they summarize those aspects of the analysis and decision of a given phase that are important to program management. Second, they are used to request approval to continue the project to the next phase. According to the OEI Interim Policy, System Managers are to submit the decision papers to System Owners, who are required to review the information and decide whether to advance the project to the next life cycle phase. Further, EPA’s Capital Planning and Investment Control Process requires that System Managers ensure that necessary life cycle management documentation, such as decision papers, are prepared and submitted for review.

However, both PeoplePlus and CAMDBS advanced from phase to phase even though the System Managers did not prepare all of the required documents. For example, there was no decision paper prepared during the “Implementation Phase” of life cycle development to document the inherent risks to changing commercial off-the-shelf software, or to the risks involved in modifying the PeoplePlus testing approach. The CAMDBS System Manager did not prepare any required decision papers, including the System Management Plan decision paper.
The System Management Plan is the core document that provides the overall framework for the management of the system development.

Office of Chief Financial Officer personnel said OEI’s Interim Policy is vague and open to interpretation on the content of life cycle documentation, in particular decision papers. However, the personnel did not inform OEI of their concerns regarding the content requirements of life cycle documentation. In the case of CAMDBS, the System Manager was not aware of the documentation requirement.

The lack of project documentation prevents the appropriate level of oversight for the different phases of development, and results in decision makers not having the information needed to make fully informed decisions regarding project risks. Further, OEI did not monitor the projects or verify the accuracy and completeness of the life cycle documentation required under their Policy.

During our review, OEI officials acknowledged their oversight of information technology projects could be strengthened.
OEI officials informed us that they
plan to align procedures under their Capital Planning and Investment Control
Process with those under their Interim Policy to effect corrective action in
response to our findings.

Recommendations

We recommend that the Assistant Administrator for Environmental Information:

   2-1  Revise the Interim Policy to include the Chief Information Officer
        having responsibility for conducting independent reviews of Agency
        information technology projects, to be in accordance with the
        Clinger-Cohen Act and OMB Circular A-130.

   2-2  Revise procedures under the Interim Policy to define requirements for
        life cycle documentation, such as decision papers; and to address risk
        elements, such as major changes to commercial off-the-shelf software
        and the system test approach.

   2-3  Ensure that System Managers follow established procedures and
        provide required system life cycle documentation to appropriate levels
        of management regarding risks associated with information technology
        projects at each phase, and that System Owners follow established
        procedures to review and approve that documentation before projects
        advance from one life cycle phase to the next.

Agency Comments and OIG Evaluation

OEI concurred with our recommendations, and agreed that additional tools for
oversight are needed, that managers must take responsibility, and that the Chief
Information Officer should set forth the policy and framework.
OEI requested
that the report be revised to include a more complete picture of the work that has
been done to manage the Capital Planning and Investment Control and Earned
Value Management governance processes. We revised our report in response to
OEI’s request.

OEI officials indicated that Interim Policy procedures were previously established
for required documentation during various system life cycle management phases,
and management review of such documentation. Our report acknowledges these
requirements, points out that program offices were not meeting these
requirements, and notes that OEI was not aware that these requirements were not
being followed. For these reasons, we believe the Chief Information Officer
should have an increased role in evaluating the status of Agency information
technology projects and should conduct independent reviews of information
technology projects.

In addition, OEI officials said they believe the OIG’s review may have been based
on previous versions of the revised Interim Policy and that the current policy
should now reflect OIG comments and suggestions provided in February 2005.
However, our research and interviews with Agency officials indicate that OEI has
not formally approved or promulgated a new Interim Policy. As such, no new
Interim Policy supersedes the December 29, 2003, Interim Policy requirements
applicable during this review.

Appendix A

Agency Response to Draft Report

July 28, 2005

MEMORANDUM

SUBJECT: Response to June 15, 2005, Draft Office of Inspector General Audit Report: EPA
Needs to Improve Oversight of Its Information Technology Projects, Assignment
No.
2004-000857

FROM: Kimberly T. Nelson /s/
Assistant Administrator and Chief Information Officer

TO: Nikki L. Tinsley
Inspector General

Thank you for the opportunity to respond to the June 15, 2005, Draft Office of Inspector
General Audit Report: EPA Needs to Improve Oversight of Its Information Technology
Projects, Assignment No. 2004-000857.

The Office of Environmental Information agrees with the goals sought in the draft audit
report, and we substantially agree with the recommendations. We agree additional tools for
oversight are needed, that managers must take responsibility, and that the Chief Information
Officer will set the policy framework. We would appreciate the report being revised to include a
more complete picture of the work that we have done to manage the Capital Planning and
Investment Control and Earned Value Management governance processes.

I have attached a detailed response to the three recommendations raised in the report. If
you have any questions regarding this response, please contact me at (202) 564-6665, or if your
staff have questions please contact Odelia Funke, Acting Director of the Mission Investment
Solutions Division, at (202) 566-0667.

Attachment

cc: Rudolph Brevard, OIG

Office of Environmental Information Response to
June 15, 2005, Draft Office of Inspector General Audit Report:
“EPA Needs to Improve Oversight of Its Information Technology Projects”

Office of Inspector General Recommendation: 2-1.
Revise the Interim Policy to include the
Chief Information Officer having responsibility for conducting independent reviews of Agency
information technology projects, in accordance with the Clinger-Cohen Act and OMB Circular
A-130.

Office of Environmental Information Response:

The Office of Environmental Information (OEI) endorses the value of having independent
reviews as a tool for project oversight. The cornerstone of Agency information technology (IT)
project development and review will continue to be grounded on the delegated responsibilities of
senior program managers in the organizations that own IT projects. It is critical for the Chief
Information Officer (CIO) to focus on guidance so program managers can make good decisions.
In keeping with the CIO’s IT leadership in management of the Capital Planning and Investment
Control (CPIC) process, OEI will ensure reviews are conducted with appropriate independence
but without substantial cost increase. OEI will add the following review elements to its CPIC
governance system:

   o  formal delegation of this responsibility through the System Life Cycle Management
      Policy
   o  an additional question in the Capital Planning and Investment Control process asking
      for certification of the completeness of an IT project’s System Life Cycle (SLC)
      documentation and required approvals
   o  increased emphasis on the importance of reviewing solutions architecture documents.

To address the need for detailed project reviews to help senior managers in program offices, the
CIO will insist that Independent Verification and Validation be conducted as appropriate,
establishing the conditions for independent reviews, and the depth and scope needed. We will
develop a corrective action plan to carry out CIO authority to compel and ensure good reviews.

Office of Inspector General Recommendation: 2-2.
Revise the Interim Policy to define
requirements for life cycle documentation, such as decision papers; and to address risk elements
such as major changes to commercial off-the-shelf software and system test approach

Office of Environmental Information Response:

We agree on the need for life cycle documentation, and that addressing risk elements is a key
component. Our policy framework takes a tiered approach, differentiating between “Policy” and
“Procedures.” The Office of the Inspector General’s (OIG) review of the Interim Policy must
have been based upon previous versions of the revised SLC Management Policy. The SLC
Management Policy now reflects OIG comments and suggestions received in February of this
year. It will require that documentation be produced, and the SLC Management Procedure will
elaborate on what that documentation is, and what information is required in specific documents.

The Interim Policy requires documentation during System Life Cycle Management Phases,
including security planning, risk assessments and decision papers. Additionally, the Interim
Policy requires documentation based on requirements of IT Investment Management, including
Enterprise Architecture (EA) and Capital Planning and Investment Control (CPIC). This
documentation was further described in approved Federal and Agency documents that supported
the Interim Policy, including the Interim Procedure. The “Policy” states the high level goals of
the Agency, while the “Procedure” explains how to meet the goals established in the “Policy.”
The “Procedure” supports the “Policy,” and requirements are mandated.
The Interim Procedure
lists and describes in more detail the documentation requirements during management of the
System Life Cycle.

The Interim Policy also requires documented management review and approval. This includes
the review and approval of a system’s decision documents prior to the system advancing from
one phase to another, prior to the incremental expenditure of resources, and prior to being
deployed.

The Interim Procedure also requires System Managers to submit “Decision Papers” to
management for review and approval in order to advance the system from one SLC phase to the
next. These documents are part of the System Management Plan (SMP), one of the major
documents required for SLC Management. Specifically, the Interim Procedure describes the
“Decision Papers” as:

       A decision document presented to management. It summarizes those aspects of the
       analysis and decisions of a given phase or sub phase that are important to program
       management and requests approval to continue the project. The EPA life-cycle model
       provides for decision papers to be prepared at the beginning of the Definition,
       Development or Acquisition, Implementation, and Termination Phases and at the end of
       the Requirements Definition Sub phase. The level of detail for decision papers should be
       appropriate to the category of the system. All decision papers are included in the SMP as
       attachments. (Interim Procedure, pg. 13)

Other examples defining the requirements of system documents can be found in the “Definition”
section of the Interim Procedure.
Definitional requirements can also be found in other standards
adopted by the Agency, specifically National Institute of Standards and Technology (NIST)
800-64, “Security Considerations in the Information System Development Life Cycle.”

Finally, it should be noted that the Interim Policy is being revised and will continue to require
documentation, as well as management review and approval, throughout System Life Cycle
management. Additionally, the Interim Procedure is also being revised and will expand the
definitional requirements of documentation in the System Life Cycle. They will include the
requirements of the SLC Management Policy, as well as Enterprise Architecture, CPIC, and
Security. The revised SLC Management Procedure will also provide templates for these
documents, as tools for system developers.

Office of Inspector General Recommendation: 2-3. Establish formal procedures to make
certain that System Managers provide required system life cycle documentation to appropriate
levels of management regarding risks associated with information technology projects at each
phase, and that System Owners review and approve that documentation before projects advance
from one life cycle phase to the next.

Office of Environmental Information Response:

As noted above, the Interim Procedure requires management review and approval during each
phase of the System Life Cycle through “Decision Papers” found in the SMP. Additionally, the
Interim Policy requires “Authorization to Process” during the Implementation Phase. The
“Authorization to Process” is defined by the Interim Procedure as:

       A management control, consisting of a document signed by the management official
       responsible for a general support system or major application.
       (This management official
       is sometimes referred to as the “Designated Approving Authority.”) It authorizes an
       information system to operate, prior to beginning processing or use of the system.
       Authorization is equivalent to the term “accreditation.” For a system, the authorization is
       based on implementing the system security plan. For an application, the authorization is
       based on confirming that the security plan(s) implemented for the systems on which the
       application operates, adequately secure the application. Results of the most recent tests
       and/or assessments are factored into management authorizations. Management
       authorization implies accepting the risk of each system used by the application (derived
       from Appendix III, Office of Management and Budget (OMB) Cir. A-130). (Interim
       Procedure, pg. 11)

Additionally, “Re-authorization to Process” is required during the Operations and Maintenance
Phase. Formal procedures ensuring documentation is submitted to management were in place
starting when the Interim Procedure was approved (12/29/03, extended on 4/29/05).

Also, as is stated in the Interim Procedure, documentation of risks is required in the “Security
Plan,” which is updated based on “Security Risk Assessments.” Risk assessments are required
not only as part of System Life Cycle, but also in the Agency Network Security Policy and its
supporting Procedures and guidance.

In summary, the Interim Procedure already addresses OIG’s concerns. It requires the needed
documentation, as well as management review and approval.
As OEI revises the Interim
Procedure we will continue to support and strengthen this requirement.

Appendix B

Distribution

Office of the Administrator
Assistant Administrator for Environmental Information
Assistant Administrator for Administration and Resources Management
Assistant Administrator for Air and Radiation
Agency Followup Official (the CFO)
Agency Followup Coordinator
Director, Office of Technology Operations and Planning
Director, Systems Planning and Integration Staff
Acting Director, Mission Investment Solutions Division
Audit Coordinator, Office of Environmental Information
Audit Coordinator, Office of Administration and Resources Management
Audit Coordinator, Office of Air and Radiation
Audit Coordinator, Office of Chief Financial Officer
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Inspector General
"